Sensitive Data Protection: Media Hysteria or a Call to Action?
by Thomas J. Meehan
September 1, 2006
Despite well-publicized federal sensitive data protection legislation, Personal Identity Protection (PIP) and Security Breach Notification (SBN) laws, and regulations such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLB), reports of personal data security breaches caused by stolen or missing backup tapes continue to appear almost daily. Disk and tape storage containing sensitive data is released to the public every day when leases on enterprise storage systems expire and the equipment is returned to the leasing company. No one records how much corporate and personal data is exposed when this equipment enters the pre-owned market, but stories abound of disk and tape containing sensitive corporate and personal data being offered on eBay. The Privacy Rights Clearinghouse (www.privacyrights.org/ar/ChronDataBreaches.htm) reported at least 80 data privacy incidents in 2006 through April alone, potentially affecting 5 million individuals. To date, 33 U.S. states have serious PIP and SBN legislation. The majority have joined California in requiring that companies notify customers any time “unencrypted” personal information is lost. Seven of these states went further, requiring secure erasure of all electronic disk and tape storage before disposal.
Ignorance Is No Defense
Current PIP and SBN legislation, as well as the Payment Card Industry Data Security Standard (PCI DSS) guidelines, impose requirements to erase disk storage and tape media before disposing of it, and harsh penalties when unencrypted private or sensitive data is lost, stolen, or can’t be accounted for. Data counts as “unencrypted” either when it isn’t encrypted at all or when it is encrypted with a key that has also been compromised. This campaign to protect personal identity information is also fueling new aggressiveness on the part of federal regulatory agencies; the Federal Trade Commission (FTC) recently imposed penalties totaling $15 million on one corporation for failure to meet its data protection obligations. What does this mean for your organization? Don’t be caught unaware or become a victim of circumstance. Instead, be proactive and ensure you’re on the right side of the law. Review your current data protection, business continuance, and business resiliency software to ensure you meet today’s stricter requirements.
Protect Data Leaving Your Control
Traditionally, large enterprise mainframe customers have had no difficulty meeting regulatory obligations concerning protection of sensitive data. They’ve had well-thought-out disaster recovery plans, regularly scheduled rehearsals, and security access control systems that prevent unauthorized access to private and sensitive data under their control. The focus of the new legislation and industry standards is to ensure an equally high level of protection for sensitive and private data that’s on disk and tape leaving their physical control.